It’s very hard.
I create a docker bridge first: `docker network create keycloak`
docker compose:
```yaml
services:
  mysql:
    image: mysql
    container_name: mysql
    environment:
      # values in (...) are placeholders; substitute your own
      - MYSQL_ROOT_PASSWORD=(MYSQL_ROOT_PASSWORD)
      - MYSQL_DATABASE=keycloak
      - MYSQL_USER=(MYSQL_USER)
      - MYSQL_PASSWORD=(MYSQL_PASSWORD)
    ports:
      # published on the host; keycloak itself reaches mysql over the bridge by name
      - 3306:3306
    volumes:
      - /docker/keycloak/mysql:/var/lib/mysql
  keycloak:
    image: quay.io/keycloak/keycloak:26.4.5
    command: --config-file=/config/keycloak.conf start
    container_name: keycloak
    restart: unless-stopped
    ports:
      - 8080:8080
    volumes:
      - "/docker/keycloak/config:/config"
    depends_on:
      - mysql
networks:
  default:
    # the bridge created above with `docker network create keycloak`
    name: keycloak
    external: true
```
`/config/keycloak.conf`:
```ini
# public hostname; TLS is terminated by the reverse proxy in front of this
hostname=keycloak.example.com
proxy-headers=xforwarded
# bootstrap admin is temporary by design; replace it with a real admin after first login
bootstrap-admin-username=tmpadm
bootstrap-admin-password=pass
http-port=8080
http-enabled=true
db=mysql
db-url-host=mysql
# same placeholders as in the compose file
db-username=(MYSQL_USER)
db-password=(MYSQL_PASSWORD)
db-schema=keycloak
```
Keycloak doesn't recommend using MySQL. There will be tons of warnings about MySQL.
Then use whatever reverse proxy you like to proxy port 8080 and use https://keycloak.example.com.
Wait for this to show up in the log: `Listening on: http://0.0.0.0:8080`
You know how to read a docker log, right? `docker logs keycloak`
Remember the forum will highlight any URL starting with https as a link; if you don't see it, it doesn't mean I didn't write it. Now go to https://keycloak.example.com to set up. Log in.
In the left panel, click Manage realms, then Create realm. Realm name: incus. Enabled: on. Click Create.
Now the current realm will switch to incus. If not, click Manage realms, then click incus.
Click Users, Create new user, fill in the username, Create. You will be redirected to the User details page. Click Credentials, set a password, Temporary: off.
Open a new tab and go to https://keycloak.example.com/realms/incus/account to test the new user. You can log in, good.
Click Clients, Create client, Client type: OpenID Connect, Client ID: incus, Next.
Client authentication: off. For Authentication flow, choose Standard flow and Direct access grants. Next. Well, I haven't read all the docs; you really need to read them.
Valid redirect URIs: https://incus.example.com/oidc/callback. Valid post logout redirect URIs: https://incus.example.com/oidc/callback. Save.
You can see the OpenID configuration at this URI: https://keycloak.example.com/realms/incus/.well-known/openid-configuration
```shell
incus config set oidc.client.id=incus
incus config set oidc.issuer=https://keycloak.example.com/realms/incus/
incus config set oidc.scopes=openid,email,profile
```
Now you can visit https://incus.example.com and log in with SSO.
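An added example, not part of the post above and not Incus or Keycloak code: a small Python check that compares the realm's discovery document (the `.well-known/openid-configuration` URI mentioned above) with the values handed to `incus config set`. It flags an `issuer` that does not match `oidc.issuer`, endpoints that are not served over https (what you typically see when the proxy headers are not reaching Keycloak), scopes in `oidc.scopes` the realm does not advertise, and a missing device authorization grant. The sample discovery document is constructed for the example; the claim that the `incus` CLI logs in with the device authorization grant is an assumption stated in the comments, as is the advice to configure the issuer string exactly as advertised when only a trailing slash differs.

```python
"""Sanity-check an OIDC discovery document against Incus-side settings.

Added example; not code from the original post, Incus or Keycloak.
Assumptions are marked in the comments.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample of what Keycloak serves at
# <issuer>/.well-known/openid-configuration, trimmed to the fields checked here.
SAMPLE_DISCOVERY = {
    "issuer": "https://keycloak.example.com/realms/incus",
    "authorization_endpoint": "https://keycloak.example.com/realms/incus/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.com/realms/incus/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.com/realms/incus/protocol/openid-connect/certs",
    "device_authorization_endpoint": "https://keycloak.example.com/realms/incus/protocol/openid-connect/auth/device",
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
    "grant_types_supported": [
        "authorization_code",
        "urn:ietf:params:oauth:grant-type:device_code",
    ],
}

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def discovery_url(issuer):
    """Build the well-known URL; a trailing slash on the issuer must not
    produce a double slash in the path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer, timeout=10):
    """Fetch the live document. TLS verification is deliberately left on."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout, context=ctx) as resp:
        return json.load(resp)


def parse_scopes(value):
    """Split the comma-separated oidc.scopes value, tolerating spaces."""
    return [s.strip() for s in value.split(",") if s.strip()]


def check_discovery(doc, configured_issuer, scopes):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    advertised = doc.get("issuer", "")

    # 1. The ID token's `iss` claim is validated against the configured issuer,
    #    so the two must agree.
    if advertised.rstrip("/") != configured_issuer.rstrip("/"):
        findings.append(f"issuer mismatch: configured {configured_issuer!r}, advertised {advertised!r}")
    elif advertised != configured_issuer:
        # Only a trailing slash differs. Assumption: whether a client tolerates
        # that is library-specific, so configuring the exact advertised string
        # is the safe choice; report it rather than ignore it.
        findings.append(f"issuer differs only by trailing slash: use {advertised!r} to be safe")

    # 2. Endpoints the browser (authorization code) flow relies on must exist
    #    and be https. An http:// endpoint usually means Keycloak is not seeing
    #    the proxy's X-Forwarded-* headers.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            findings.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            findings.append(f"{key} is not https: {url}")

    # 3. Assumption: the incus CLI logs in with the OAuth 2.0 device
    #    authorization grant, so the realm should advertise it.
    if "device_authorization_endpoint" not in doc or DEVICE_GRANT not in doc.get("grant_types_supported", []):
        findings.append("device authorization grant not advertised (assumed to be needed for CLI login)")

    # 4. Every scope in oidc.scopes should be one the realm supports.
    unsupported = sorted(set(scopes) - set(doc.get("scopes_supported", [])))
    if unsupported:
        findings.append(f"scopes not advertised by realm: {unsupported}")
    return findings


if __name__ == "__main__":
    import sys
    # With an issuer argument the live document is fetched; without one the
    # constructed sample is checked against the values from the post.
    issuer = sys.argv[1] if len(sys.argv) > 1 else "https://keycloak.example.com/realms/incus/"
    doc = fetch_discovery(issuer) if len(sys.argv) > 1 else SAMPLE_DISCOVERY
    for finding in check_discovery(doc, issuer, parse_scopes("openid,email,profile")):
        print("FINDING:", finding)
```

Run it as `python3 check_oidc.py https://keycloak.example.com/realms/incus/` from a machine that can reach the proxy; no output means nothing was flagged. Checking against the advertised issuer rather than a hand-typed one is the point: Keycloak publishes `https://keycloak.example.com/realms/incus` without the trailing slash, which is the one difference between that value and the `oidc.issuer` set above.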